hxxp://steamcommunity[.]com/gift/906353439838

Analysis

max time kernel
67s
max time network
74s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://steamcommunity.com/gift/906353439838

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529439674706604"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1632	chrome.exe
1632	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1120	1632	chrome.exe	80
PID 1632 wrote to memory of 1120	1632	chrome.exe	80
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 3364	1632	chrome.exe	83
PID 1632 wrote to memory of 2148	1632	chrome.exe	84
PID 1632 wrote to memory of 2148	1632	chrome.exe	84
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85
PID 1632 wrote to memory of 2680	1632	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://steamcommunity.com/gift/906353439838
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbe81f9758,0x7ffbe81f9768,0x7ffbe81f9778
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1796,i,3838466143072709101,2958710328901183815,131072 /prefetch:2
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1796,i,3838466143072709101,2958710328901183815,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 --field-trial-handle=1796,i,3838466143072709101,2958710328901183815,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2840 --field-trial-handle=1796,i,3838466143072709101,2958710328901183815,131072 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1796,i,3838466143072709101,2958710328901183815,131072 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1796,i,3838466143072709101,2958710328901183815,131072 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3188 --field-trial-handle=1796,i,3838466143072709101,2958710328901183815,131072 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1796,i,3838466143072709101,2958710328901183815,131072 /prefetch:8
  2⤵
  PID:772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
b62b2dba458b77076c28a864728ba16a

SHA1
3348c6ebae27a12fbeaadc08ca50597bf884d554

SHA256
036bb90b3c6f35cc29e3f54b9a441b5a97a434054fc6d1a719881cfc1e82d985

SHA512
9ac2d8a1e0f623626242108a9dc100a125d7a6065c21e3e1d9843e0a1be462c870d350833ed19fdd957c2c1d2b14e3e816942555d5e41316f5b19a35f39267b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6e0199d39a127b3a040e69318fd7b1f3

SHA1
c5948e704eb00ba05a9a25476e32537ab56b8844

SHA256
c7600c8eca2da5aeedf35e510f6902ca701bd58f3b103f1534a7af4e9bc4f9c0

SHA512
53b6abb8ac59bff5d621358ad454660902ccdacd267e066e06c2376034daa2a0959938dc7a413776cf9a53d3a30c080ba09e9e46f48fdef2ff2e500e590bea71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
11a194cb49c82f6c1956fd3c7792e1b8

SHA1
172ddb378735fc243057fcb7e89cd3bbcbab1bd9

SHA256
3835bbc988d671d91e8c5f15a8bd10e2bf97a52573efd8f39d63a1b551c5c0a9

SHA512
e8cff72079c6d33f76cb23241aea0657e8e8f8286e34578a7b2bd272c340153f081d4e3ad58bccb0626c9fd1dd2f29839344bbb962acad31035f14af1c167ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a88e8b949d144aa59cc6194a73531edb

SHA1
89e8e6886412de83de63829f411a7dd6cb619574

SHA256
0c4eddf85d4248947cec1e5ec8f3194be0d9eb8f30ad38bcc988ad8e19b3bb75

SHA512
d000da345047179a7a4eee84e98c031ba2e63cea39e73767a4df442e63998e6119a5364a01869f6aa606bde6e86d3f320227d37c494f65de5d45dd193e27c612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
169f900ca9aab5f0583e08fda079363d

SHA1
ff457edcb772e59de5b841451d8dec30783cc238

SHA256
08ac2edfad5c9f05406e51fbcfe8768dc005a1af168a9f8e81129f6460e647c6

SHA512
f3b272014d1d6b047fa19c5d3975752c0e7f89b24e2d6e8492a10b8f7da14172ebeddb5b055aa6e997db70b5e6a52607d8d7397a5a263c5de974aede6cc75f4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
df2fc66412b73db216c5069d58efbedf

SHA1
38a248ab20120166f266048e782a0022d92a6b9e

SHA256
8b4e133f626dfd7b9d20048a7a4da50451c464dd46782d468080251f08b8375e

SHA512
f7bda25290e82dad2e07d261379baea68edea3b05f55f13d5e989993f5d4defee2162fd1f424fba4f23c9bb9a98aeea39275db04a8afb99307c11574f368f956

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit